Shield Custom realm - need to extract the password

security

(Yashodhara) #1

Hi,

I have downloaded the shield-custom-realm-example from git and have been trying to modify it to suit our requirement. Basically, I need to use the custom realm as a bridge to pass the login credentials on to another system (a Java app), which is going to authenticate and send back the user and roles using a REST API.

So far all I did was perform the REST API call in the authenticate method in CustomRealm.java. However, I have one hiccup: I am unable to fetch the password from message.getHeader(PW_HEADER) or request.header(USER_HEADER), and finally even from the token of UsernamePasswordToken, as credentials() is encrypted.

Is there a way for me to get the password out so that I can pass it on to the external authentication service?


(Jay Modi) #2

Can you please show the exact REST API call you are making (please include how you specify the username and password) and the realm configuration you are using from the elasticsearch.yml file?


(Yashodhara) #3

Hey Jay, thanks for the quick reply.

For the time being I am sending the username and password in the URL with no encryption, just to test out the realm part. So here is the code for the REST API:

import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
import org.elasticsearch.shield.User;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;

public User authenticate(UsernamePasswordToken token) {
    // get the user name and password from the token
    final String actualUser = token.principal();
    // credentials() returns a SecuredString (a char[] wrapper), not a plain String
    final SecuredString actualPassword = token.credentials();

    // call the external Java app with the Jersey 1.x client; the credentials travel in the
    // URL path, unencrypted and unencoded, which is only acceptable for this test setup
    Client client = Client.create();
    WebResource webResource = client.resource(
            "http://192.168.4.110:8080/RESTfulWebServiceExample/rest/ConversionService/UserPassword/"
            + actualUser + ":" + new String(actualPassword.internalChars()));
    ClientResponse response = webResource.accept("text/plain").get(ClientResponse.class);
    if (response.getStatus() == 200) {
        // expected body: "username:role1:role2:..."
        String streamOutput = response.getEntity(String.class);
        if (streamOutput != null && !streamOutput.isEmpty() && streamOutput.indexOf(':') >= 0) {
            String resUserName = streamOutput.substring(0, streamOutput.indexOf(':'));
            String tempRoles = streamOutput.substring(streamOutput.indexOf(':') + 1);
            String[] resUserRoles = tempRoles.split(":");
            return new User(resUserName, resUserRoles);
        }
    }
    // any non-200 response or unparseable body means authentication failed
    return null;
}

In the method below I thought of capturing the password as it comes inside the realm in the header. However, when I debug I see that the password is always null, and the same goes for the transport message.

@Override
public UsernamePasswordToken token(RestRequest request) {
    // the example realm expects the credentials in two custom headers
    String user = request.header(USER_HEADER);
    // I am unable to get the password here, which at least I could use to send in my URL for REST
    if (user != null) {
        String password = request.header(PW_HEADER);
        if (password != null) {
            // the token wraps the password in a SecuredString (char[]), not a String
            return new UsernamePasswordToken(user, new SecuredString(password.toCharArray()));
        }
    }
    // returning null lets the next realm in the chain try
    return null;
}

I have just used the same custom realm configuration for elasticsearch.yml, except that I am not pre-defining the user credentials and roles.

shield.audit.enabled: true
shield:
  authc:
    realms:
      custom:
        type: custom
        order: 0
      native:
        type: esusers
        order: 1

Please let me know where I am going wrong.


(Jay Modi) #4

So you are sending http://username:password@hostname? If so, the browser converts that into Basic authentication credentials, and the extract token method needs to be changed to extract them that way.

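The change Jay describes, written out as an added example (this is not code from the thread or from the shield-custom-realm-example project): a token(RestRequest) that reads the standard Authorization header instead of the example realm's custom X-* headers. A browser given http://user:password@host, or curl -u user:password, sends "Authorization: Basic " followed by base64("user:password"); the parsing is kept in a static method that depends on nothing from Shield so it can be unit tested on its own. The Shield package names and the UsernamePasswordToken(String, SecuredString) constructor are assumed to match the 2.x custom-realm example; adjust them for the version in use.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;

/**
 * Extracts credentials sent as HTTP Basic authentication, i.e.
 *   Authorization: Basic base64("user:password")
 * which is what a browser (or "curl -u user:password") sends for
 * http://user:password@host/... rather than custom X-* headers.
 */
public class BasicAuthTokenExtractor {

    private static final String AUTH_HEADER = "Authorization";
    private static final String BASIC_SCHEME = "Basic ";

    /** Decoded user-id/password pair, kept separate from Shield types so the parsing is easy to test. */
    public static final class Credentials {
        public final String user;
        public final char[] password;

        Credentials(String user, char[] password) {
            this.user = user;
            this.password = password;
        }
    }

    /**
     * Parses an Authorization header value. Returns null (meaning "no Basic credentials here",
     * so the next realm in the chain gets a turn) when the header is missing, uses another
     * scheme, is not valid base64, or has no ':' separator or an empty user-id.
     */
    public static Credentials parseBasic(String headerValue) {
        if (headerValue == null) {
            return null;
        }
        // The scheme name is case-insensitive (RFC 7617), so "basic ..." must be accepted too.
        if (headerValue.length() <= BASIC_SCHEME.length()
                || !headerValue.regionMatches(true, 0, BASIC_SCHEME, 0, BASIC_SCHEME.length())) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(headerValue.substring(BASIC_SCHEME.length()).trim());
        } catch (IllegalArgumentException e) {
            return null; // malformed base64: treat as "no credentials" instead of throwing into the REST layer
        }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        // The user-id may not contain ':', so the FIRST colon is the separator; the password may contain colons.
        int sep = decoded.indexOf(':');
        if (sep < 1) {
            return null; // no separator, or empty user-id
        }
        return new Credentials(decoded.substring(0, sep), decoded.substring(sep + 1).toCharArray());
    }

    /**
     * Replacement for the realm's token(RestRequest) method.
     * Assumption: the Shield version in use has the UsernamePasswordToken(String, SecuredString)
     * constructor, as in the shield-custom-realm-example.
     */
    public UsernamePasswordToken token(RestRequest request) {
        Credentials creds = parseBasic(request.header(AUTH_HEADER));
        if (creds == null) {
            return null;
        }
        return new UsernamePasswordToken(creds.user, new SecuredString(creds.password));
    }
}
```

To exercise it without a browser, curl -u alice:s3cret http://localhost:9200/ sends the header "Authorization: Basic YWxpY2U6czNjcmV0" (base64 of the constructed pair alice:s3cret), and parseBasic should return user "alice" with password "s3cret". Once the password is available in the realm, avoid forwarding it to the Java app in the URL path as in the posted authenticate method: URL paths end up in access logs and proxy logs, so send it in a request body over TLS instead.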

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.